Forgot your password?
typodupeerror
Security IOS Iphone Power

Researchers Infect iOS Devices With Malware Via Malicious Charger 201

Posted by timothy
from the nobody-wants-some-iphone-with-a-social-disease dept.
Sparrowvsrevolution writes "At the upcoming Black Hat security conference in late July, three researchers at the Georgia Institute of Technology plan to show off a proof-of-concept charger that they say can be used to invisibly install malware on a device running the latest version of Apple's iOS. A description of their talk posted to the conference website describes how they were able to install whatever malware they wished on an Apple device within a minute of the user plugging it into their malicious charger, which they're calling 'Mactans' after the scientific name of a Black Widow spider. The malware-loaded USB plug is built around an open-source single-board computer known as a BeagleBoard, sold by Texas Instruments for a retail price of around $45. The researchers have contacted Apple about their exploit but haven't heard back from the company and aren't sharing more details of their hack until they do."
This discussion has been archived. No new comments can be posted.

Researchers Infect iOS Devices With Malware Via Malicious Charger

Comments Filter:
  • by muphin (842524) on Monday June 03, 2013 @08:08AM (#43894763) Homepage
    would PairLock [iphonehacks.com] be a possible solution, would that work?
    • by Joce640k (829181)

      I dunno...but how is this new exploit "news" if there's utility utilities like PairLock to prevent it?

    • Any time you plug your iOS device into another computer, this trusted pairing relationship gets automatically created within seconds. The only time this doesn’t occur is if the device is locked with a PIN – and I mean really locked; if you have anything other than “Require Passcode: Immediately” set, then it will remain unlocked for a while even after you shut off the screen.

      So if you're in unknown territory, set a passcode and put it on immediate expiration, and you can be a bit more cavalier. It's too bad Apple doesn't allow you iOS to into "turtle mode" so that you can force this behavior at will, while keeping a more pragmatic stance (say 5m lock timeout).

  • Physical Access (Score:2, Insightful)

    by Anonymous Coward

    Physical access to a device allows for far too many attack vectors to protect against. News at 11

    • Re:Physical Access (Score:5, Informative)

      by Anonymous Coward on Monday June 03, 2013 @08:20AM (#43894819)

      This is not an "open the device and latch on to some henceforth unprotected internal signal" attack vector. Attaching the phone to someone else's charger is not unusual behavior. For the Olympic Games in London, Vodafone fitted 1000 taxis with mobile phone chargers.

    • Except physical access doesn't refer to peripherals.

      • Re:Physical Access (Score:4, Insightful)

        by slim (1652) <john.hartnup@net> on Monday June 03, 2013 @09:20AM (#43895269) Homepage

        Well, there's a continuum.

        Sneaking into someone's office and putting a keylogger inline with their keyboard cable is an example of physical access making black-hat hacking easy.

        Sneaking into the same office and plugging a PwnPlug or similar into the physical network is another example.

        Those two are increasingly far from actually directly looking at filesystem blocks, but put you at an advantage compared to someone trying to get to a system from the other side of a firewall.

    • Re:Physical Access (Score:4, Interesting)

      by fuzzyfuzzyfungus (1223518) on Monday June 03, 2013 @08:23AM (#43894849) Journal

      Physical access to a device allows for far too many attack vectors to protect against. News at 11

      I think the issue here is that 'plausible, easy-to-engineer, physical access allows a demonstrated attack against a device'.

      Also, at an architectural level, having an idevice plugged in is much closer to having a network connection [theiphonewiki.com] to a computer than it is to having 'physical access'. It's a bit weirder than a pure USB network adapter; but it's essentially a chat, over TCP, with a remote computer, not total control over a USB MSC device or something of that flavor.

      • Re: (Score:2, Informative)

        by AmiMoJo (196126) *

        And remember, all this is to support Apple's DRM that blocks 3rd party chargers (or at least prevents them using the fast charge rate).

        Providing phone chargers is a common courtesy in some countries, e.g. Japan. Most hotels and bars will have a load of chargers behind the front desk to lend out, for example.

        • I assume that the lighting auth chip makes the behavior even more complex, under the surface; but I think that the network-like behavior happens on all iOS devices, regardless of connnector type. The ipods(aside from the Touch, which is more or less a cost-reduced iphone without the cell modem) were slightly eccentric mass storage class devices, or the firewire equivalent; but none of the iOS devices ever exposed their storage directly, you have to go through their OS for access.

        • by EzInKy (115248)

          If Apple guarantees that they will pay for any damage incurred using an Apple product then Apple would lead the market anywhere! Wake me up when this is the case.

        • by Thomasje (709120)

          And remember, all this is to support Apple's DRM that blocks 3rd party chargers (or at least prevents them using the fast charge rate).

          Huh? I use a third-party car charger, and it fast-charges my iPhone just fine.

          • You probably use a licensed third-party car charger.

        • by jo_ham (604554)

          What are you on about?

          I fast charge my iPhone with a third party charger all the time. I'd post a video of me doing it, but you'd probably dismiss it as some sort of propaganda and clearly falsified somehow.

          You might want to check on reality before you start whoring for karma with outright lies on slashdot.

          Also, not that you've been at all accurate in your post, but even if this were the case, there's a difference between a proprietary charging protocol/data exchange (the iOS device attempts to negotiate a

          • by AmiMoJo (196126) *

            Here is some detail on what Apple did: http://www.ladyada.net/make/mintyboost/icharge.html [ladyada.net]

            The standard way of signalling that 1A is available is to tie D+ and D- together. This is part of the USB spec. Apple went their own way so that iDevices would only draw 0.5A from these chargers. Only an Apple charger will deliver 1A to them.

            Later on Apple changed this so that their devices were compatible with 1A chargers, but only because they introduced a 2A charger and new DRM system that requires comms with the ch

        • by 0x000000 (841725)

          Why does this guy keep getting modded up to informative? There is no Apple DRM, there is no blocking of 3rd party chargers. Apple devices while charging look for certain voltages on the D+/D- lines, there is absolutely no communication between the device and the charger. The only reason there is a requirement for certain voltages on the D+/D- lines is so that the Apple device knows it is safe to pull a certain amount of amperage from the charger...

        • Re:Physical Access (Score:4, Informative)

          by BasilBrush (643681) on Monday June 03, 2013 @12:15PM (#43896877)

          This is just nonsense. USB spec limits the power available for charging. Lots of manufacturers have handshaking going on so that when their products are used with their own chargers, they abandon the spec limits and use this own limits. There's no other way of doing it whilst staying within the USB spec. It's got fuck all to do with drm and everything to do with making sure the charge rate is safe.

          • by AmiMoJo (196126) *

            Try reading the USB Battery Charging Specification. Wikipedia [wikipedia.org] has a summary.

            Basically a normal port can supply 500mA. Dedicated charging ports can supply up to 1.5A through a standard A/B connector or IIRC 2.2A through Micro USB. The standard defines a way to signal that the port is a high current charging port.

            • Try reading the USB Battery Charging Specification.

              ... of 2007. Apple's more configurable set of charging states dates back to when the iPod could be charged from USB - 2003.

              There was no standard for fast charging when Apple designed it.

        • by dissy (172727)

          This is the 3rd time you have been corrected and yet keep repeating these lies.

          Apple did NOT invent the USB 2.0 spec. They had nothing to do with it beyond using it.

          Stop lying about apple inventing things they did not invent

          Stop lying about Android, with your claims that not a single android device can talk to a computer over USB.

          Stop lying about resistors being secret government microprocessors capable of complex digital communications.

          Just stop lying.

  • Connectors (Score:5, Funny)

    by Nerdfest (867930) on Monday June 03, 2013 @08:13AM (#43894783)

    I consider any charger with one of those proprietary connectors a 'malicious' charger.

  • by fuzzyfuzzyfungus (1223518) on Monday June 03, 2013 @08:15AM (#43894793) Journal

    It's a pity that the 'lighting' connector's dependence on an in-cable processor likely makes it more complex to use the old power-only mod...

    Not all USB devices play nicely(some phones require either a full USB host or some goofy resistor-coding nonsense on the data pins, and some USB hosts don't power USB ports, or only provide 100ma, unless the USB peripheral negotiates appropriately on the data pins); but it is generally possible(sometimes with resistor hackery, and for 'dumb' chargers and USB ports that don't need negotiation for power) to use a USB cable with the data lines cut and just power and ground attached for charging. Certainly the only thing I'd trust when plugging into some arbitrary port...

    • by tlhIngan (30335)

      It's a pity that the 'lighting' connector's dependence on an in-cable processor likely makes it more complex to use the old power-only mod...

      You still can do it - you're working with the regular USB cable (the A plug) side still.

      The coding exists on the other end and does nothing.

      This hack is NOT about a charger. The hack is basically saying someone could hide a regular computer inside a charger. So when you plug into the USB plug, you're actually establishing a sync connection, not just a power connection.

      • by chrism238 (657741)

        So the real issues is that these guys found a way to inject software onto it - less a charger security hole and more a regular iOS USB security hole.

        So wonder if this could be a new jailbreaking vector?

  • by MavEtJu (241979) <slashdotNO@SPAMmavetju.org> on Monday June 03, 2013 @08:16AM (#43894799) Homepage

    Mental note: Don't use these public chargers anymore...
    (Google for "iphone charging point airport")

  • They should have saved this exploit for jailbreaking than to report it, comsidering the chances of an in-the-wild infection are low. Public charge stations are quite uncommon.

  • Legal team (Score:2, Flamebait)

    by whargoul (932206)
    We've seen how this plays out in the past. The first contact Apple is going to make is with their legal team to sue those researchers out of existence. How dare they discover a hole and tell them about it.
    • by AC-x (735297)

      Can you show a single previous instance of Apple suing a security researcher? I certainly can't find anything.

      • He doesn't need to. He's decided that Apple is evil, and he's thought of something that an evil company could do. Therefore, apple does it. No evidence required.

    • by jo_ham (604554)

      You're going to need to provide some proof of that.

      Also, you'll have to explain the many hundreds of entries in Apple's own kb entries going back many years for security updates where they specifically mention third parties who have identified security holes that are fixed in that particular update. I assume they thanked them for finding the hole and *then* sued them out of existence? Or do they sue first, then personally thank them? Not sure how it works, but since you seem to be an expert on this, I'll bo

    • by Skapare (16644)

      The researchers have contacted Apple about their exploit but haven't heard back from the company and aren't sharing more details of their hack until they do.

      Well, that seems to be simple ... Apple will just never contact them.

  • Didn't they do this last year? Provide a charging kiosk which was able to (as a proof of concept) infiltrate the devices plugged into it?

  • Inquiring minds want to know.

  • by bfmorgan (839462) on Monday June 03, 2013 @09:18AM (#43895249)
    Always practice "Safe Charging"
  • If your device's connection can do both charging and data transfers, then it's only normal that it can be vulnerable to hacking via anything which connects to its port. Now, some USB cables only transfer power and that MIGHT be a saving grace, but the again, for the most part, a charger that can deliver malware would be no different than a device connected to a PC's USB port, even if only for the purpose of charging the device. Nothing would stop some malware from detecting the device and upload some crap
  • Inductive charging (Score:5, Interesting)

    by bored (40072) on Monday June 03, 2013 @10:25AM (#43895849)

    What amazes me is that inductive charging hasn't taken over. I was a skeptic, when I got my touchpad a couple years ago. The ability to just drop the pad on a dock without worrying too much about positioning/etc quickly sold me on the idea. Same thing with the veer I purchased as well. Just drop it on the dock and the magnets align it.

    Now every-time I plug in the wifes ipad, or android phone I cringe. Small easily broken connectors are something that should be a last resort.

    Oh, and the touchpad prompts the user before allowing communication on the USB port.

    • by 0x000000 (841725)

      The biggest problem I have with my Touchpad (I own one too) is that when inductively charging it won't charge nearly as fast, and I've had plenty of times where it has been sitting on the inductive charger for a day or so, and I pick it up and 20 minutes later the battery is dead. Whereas charging it over USB seems to always charge it fully and properly.

      • by bored (40072)

        Are you using a 3rd party case? I have the HP case and it works fine, although I've heard of people having issues with other cases. I also think there was a bad firmware version in there that screwed up the inductive charging, I would make sure your not running that version.

        With mine, I put it on the base and make sure I hear it go boing and then forget about it. If it doesn't go boing (or sometimes goes boing more than once) I do a better job positioning it on the charger. That is what is nice about the ve

  • The researchers have contacted Apple about their exploit but haven't heard back from the company and aren't sharing more details of their hack until they do.

    With this attitude, don't expect Apple to ever contact them.

    • I think the "aren't sharing the details" refers to sharing details with the public till Apple rolls out a fix, not Apple.

  • by Animats (122034) on Monday June 03, 2013 @12:08PM (#43896789) Homepage

    I warned about that in 2009. [slashdot.org]

    We warned you. You didn't listen. Now suffer.

  • by joh (27088) on Monday June 03, 2013 @12:47PM (#43897327)

    Some people seem to miss this, so: This is just an exploit over USB. The fact that the code runs on Linux that runs on a small board that you could integrate into a (somewhat bulky) "charger" has nothing to do with what is happening here.

    The only REALLY interesting thing here is that they seemingly have found a new exploit for iOS. Because, believe it or not, up to now the latest iOS version is watertight, there is no way to access data on the phone via USB (or any other means) or install software on it.

    At least this could mean that there will be a Jailbreak for the latest iOS sooner or later. Well, at least if someone manages to turn this exploit into some jailbreak app before Apple fixes this exploit with an update to iOS.

  • by Bert64 (520050) <bert&slashdot,firenzee,com> on Monday June 03, 2013 @01:38PM (#43897953) Homepage

    It seems you run a usb based exploit against the phone, in the same way that several jailbreaks have worked in the past...
    The key problem here seems to be that the charger and the data port are combined, if you were to provide an ability to split the two then such attacks would be infeasible. As it stands, various public places provide phone chargers which would be risky to use, whereas if they could only provide power the risk would be significantly lower (they could still provide an extremely high current to intentionally destroy your phone).

    • by joh (27088)

      If this threat becomes real (that is if Apple doesn't fix the bug that enables the exploit very soon) you could build an smart adapter that makes sure that only power gets through and no data. If you think that enough people care about that go to Kickstarter and get rich.

"All my life I wanted to be someone; I guess I should have been more specific." -- Jane Wagner

Working...